Language selection

Search

The Privacy Act in brief

Overview

Governments need information about their citizens in order to deliver programs and set public policies.

At the same time, Canadians need to know that their personal information is being collected and used only according to strict rules that preserve their right to privacy. See the Policy on Privacy Protection for more information.

The Privacy Act is the law that sets out your privacy rights in your interactions with the federal government. It applies to how the government collects, uses and discloses your personal information. The Privacy Act protects your personal information that government institutions hold. The Act also gives you the right to access your personal information held by the federal government.

On this page

Where the Privacy Act applies

The Privacy Act applies to the government’s collection, use, disclosure, retention or disposal of personal information in the course of providing services such as:

  • old age security benefits
  • employment insurance
  • border security
  • federal policing and public safety
  • tax collection and refunds

The Act applies to federal government institutions listed in Schedule 3 of the Privacy Act, as well as to Crown corporations.

All provinces and territories have laws governing their public sectors.

The Privacy Act does not apply to:

  • political parties
  • political representatives (that is, members of Parliament and senators)
  • courts
  • private sector organizations

What is personal information?

The Privacy Act defines personal information as any recorded information about an identifiable individual including:

  • race, national or ethnic origin, colour, religion, age or marital status
  • education, medical, criminal or employment history of an individual or information about financial transactions
  • any assigned identifying number or symbol
  • address, fingerprints or blood type
  • personal opinions or views except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution
  • private or confidential correspondence sent to an government institution
  • the views or opinions of another individual about the individual
  • the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution
  • the name of the individual where it appears with other related personal information or where the disclosure of the name itself would reveal information about the individual

What is not included?

For certain provisions of the Privacy Act, personal information does not include:

  • certain professional information about an individual who is or was an officer or employee of the federal government
  • certain professional information about an individual who is or was performing services under contract for a government institution that relates to the services performed
  • certain information relating to any discretionary financial benefit, including the granting of licences or permits to an individual
  • information about an individual who has been dead for more than 20 years

Requirements for handling personal information

Collection

According to the Privacy Act:

A government institution can only collect your personal information if it directly relates to the operation of one of its programs or activities. A government institution must collect this personal information directly from you whenever possible unless:

  • you authorize otherwise, or
  • it is one of the situations specifically mentioned in the Privacy Act that allows for a government institution to disclose your personal information to another institution(see section 8(2) of the Act)

A government institution must normally inform you about why the information is being collected unless informing you about why it is being collected might:

  • result in the collection of inaccurate information
  • defeat the purpose for which the information was being collected or prejudice its use (for example, if an individual is facing a criminal investigation)

Use

Unless you consent to other uses, the government may only use the personal information for:

  • the purpose for which it was collected or a use consistent with that purpose
  • for other specifically identified purposes listed in the Privacy Act (see sections 7(b) and 8(2))

Accuracy

A government institution must take all reasonable steps to ensure that the personal information it uses about you is accurate, up-to-date and complete as possible.

Retention

  • Your personal information that has been used by a government institution for an administrative purpose must be retained for at least two years unless you consent to its disposal.
  • If you make a request for access to the information, it must be retained until you have the opportunity to exercise all your rights under the Act.

Read the Regulations on retention of personal information used for an administrative purpose for more details.

Disclosure

Personal information under the control of a government institution cannot be disclosed without your consent except in specific circumstances, such as:

  • for the original purpose for which the information was collected or a use consistent with that purpose
  • where the disclosure is authorized in federal legislation
  • to comply with subpoenas, warrants or orders of a court or another body with authority to compel information
  • where disclosure would clearly benefit the individual
  • where the public interest in disclosure outweighs any invasion of privacy

See our publication The Privacy Act and public interest disclosures for more information.

Right to access personal information

All individuals, whether they are within or outside Canada, may request access to any personal information about themselves under the control of a federal institution.

To request access, make a written request to the federal institution that holds your personal information. You can make the request directly yourself, or through an agent. The request must provide enough specifics about the information so that it is reasonably retrievable. 

Such specifics could include the related government program and date the information was collected. For example, an employment insurance claim from 2014.

For information about how to do this, see our guidance on accessing your personal information. There is no charge to request access to your personal records. Ordinarily, the institution has 30 days to respond to requests for access. However, this deadline can be extended in limited and specific circumstances, when:

  • meeting the original deadline would unreasonably interfere with the operations of the government institution
  • consultations are required to comply with the request that cannot be reasonably done within the original deadline
  • time is required for translation or to convert the information into an alternative format

Once the institution grants you access to your personal information, you can check that it is accurate and complete. If it is not, you can send a completed Record Correction Request Form to the institution to ask that corrections, additions or deletions be made. Where a requested correction is not made, a note may be added to the personal information to set out the individual’s views on the matter.

Denying access

Under some circumstances, a government institution may deny access to your personal information. Some examples include:

  • disclosure of the information could harm federal-provincial or international affairs or the defence of Canada
  • the personal information was obtained or prepared by an investigative body specified in the regulations
  • the disclosure of the information could reasonably be expected to threaten the safety of individuals
  • the information is subject to solicitor-client privilege
  • the personal information relates to your physical or mental health, where the examination of the information would be contrary to your best interests

Making a complaint to our Office

When a privacy issue arises, your first step should generally be to try to resolve the issue directly with the institution.

You can raise your concerns with the Access to Information and Privacy (ATIP) coordinator of the institution responsible for the personal information at issue. You can find a list of ATIP coordinators by institution on canada.ca. You can also obtain this information by contacting the institution directly.

If you are still not satisfied with the outcome of the access request, you have the right to file a complaint with our Office.

Our Office can accept complaints about the personal information handling practices of federal institutions subject to the Act. You can file a complaint if, for example, you

  • feel your personal information has been inappropriately collected, used or disclosed
  • you were refused access to your personal information
  • you feel there was an unreasonable delay in getting access to your personal information

Learn more about filing a complaint with the OPC.

Date modified: